CMSIMPLE EXPLOIT

A place to report and discuss bugs - please mention CMSimple-version, server, platform and browser version
beate_r
Posts: 171
Joined: Thu May 22, 2008 11:44 pm
Location: Hessen / Germany

CMSIMPLE EXPLOIT

Post by beate_r » Sun Jun 01, 2008 11:13 am

Hello,

sometimes one awakens when an important site is hacked...

... Google shows a lot of hacks by somebody from Turkey. This demonstrates that there are at least two exploits for CMSIMPLE.
Up to now I have found the following, which is described *here*:

Edit by Holger:
Thanks for your help and your first-aid solution!
But please, do not quote exploits or link to sites with exploits in this forum. We won't fill Google's index with such stuff.
/Holger


As a first aid protection one might consider blocking access to URLs containing the argument "sl=" on the webserver. In nginx, an appropriate rewrite rule might look like this:

        location / {
            root        /var/www/example.com;
            index       index.html;
            fastcgi_index index.php;

            # Reject any request whose query string contains "sl="
            if ( $args ~ "sl=" ) {
                return 403;
            }
            include     /etc/nginx/fastcgi_params;
        }

Please note that the argument must be checked before fastcgi-processing.

In apache, this should probably be done within an appropriate .htaccess.

I have not tested it for possible side effects except that page editing and downloads of regular content through the cms still work.

This should be taken as a first aid only, until a real fix is available.

Beate
Last edited by beate_r on Sun Jun 01, 2008 2:02 pm, edited 1 time in total.

Re: CMSIMPLE EXPLOIT

Post by beate_r » Sun Jun 01, 2008 12:19 pm

And while we are at it, a telling excerpt from the log of a site where normally nothing is going on.

Edit by Holger:
Please do not quote exploits or link to sites with exploits in this forum.



Beate
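
Added example, not part of the original posts: a Python scan of a web server access log for requests that carry an `sl` parameter, counted per client and status code, so that hits served before the first-aid rule (200) can be told apart from hits rejected by it (403). It also compares an exact parameter-name match with the substring test used in the nginx rule above. The log lines, addresses and the `PLACEHOLDER` value are constructed, and the "combined" log format is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2008:09:12:01 +0200] "GET /?Home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2008:09:13:44 +0200] "GET /index.php?sl=PLACEHOLDER HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [01/Jun/2008:11:20:05 +0200] "GET /index.php?sl=PLACEHOLDER HTTP/1.1" 403 169 "-" "-"
192.0.2.10 - - [01/Jun/2008:11:25:00 +0200] "GET /?xsl=style HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# client address, request line ("METHOD target PROTOCOL") and status code
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def has_param(target, name="sl"):
    """True if the request target has a query parameter named exactly `name`.
    parse_qsl percent-decodes names and values before the comparison."""
    query = urlsplit(target).query
    return any(key == name for key, _ in parse_qsl(query, keep_blank_values=True))

def substring_rule_matches(target):
    """Mirror of the nginx test `$args ~ "sl="`: raw substring match on the query."""
    return "sl=" in urlsplit(target).query

def scan(log_text, name="sl"):
    """Count requests carrying parameter `name`, keyed by (client, status)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and has_param(m["target"], name):
            hits[(m["ip"], int(m["status"]))] += 1
    return hits

if __name__ == "__main__":
    for (ip, status), count in sorted(scan(SAMPLE_LOG).items()):
        verdict = "blocked" if status == 403 else "served"
        print(f"{ip}  status={status}  {verdict}  x{count}")
    # The substring rule also rejects unrelated parameters that end in "sl".
    print("xsl= hit by substring rule:", substring_rule_matches("/?xsl=style"))
```

Requests listed as served predate the rule or did not pass through it and are the ones to review first.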

Re: CMSIMPLE EXPLOIT

Post by beate_r » Sun Jun 01, 2008 5:31 pm

Note: harteg's fix also applies for some older versions, e.g., 2.9.

Beate
